bugku web never_give_up

never_give_up

老规矩直接看源码，发现有1p.html

访问一下

发现自动跳转到bugku了，bp拦截抓包看看，发到重放器，发送看一看

从第二行--开始就是base64编码，然后解码得到

%22%3Bif(!%24_GET%5B'id'%5D)%0A%7B%0A%09header('Location%3A%20hello.php%3Fid%3D1')%3B%0A%09exit()%3B%0A%7D%0A%24id%3D%24_GET%5B'id'%5D%3B%0A%24a%3D%24_GET%5B'a'%5D%3B%0A%24b%3D%24_GET%5B'b'%5D%3B%0Aif(stripos(%24a%2C'.'))%0A%7B%0A%09echo%20'no%20no%20no%20no%20no%20no%20no'%3B%0A%09return%20%3B%0A%7D%0A%24data%20%3D%20%40file_get_contents(%24a%2C'r')%3B%0Aif(%24data%3D%3D%22bugku%20is%20a%20nice%20plateform!%22%20and%20%24id%3D%3D0%20and%20strlen(%24b)%3E5%20and%20eregi(%22111%22.substr(%24b%2C0%2C1)%2C%221114%22)%20and%20substr(%24b%2C0%2C1)!%3D4)%0A%7B%0A%09%24flag%20%3D%20%22flag%7B***********%7D%22%0A%7D%0Aelse%0A%7B%0A%09print%20%22never%20never%20never%20give%20up%20!!!%22%3B%0A%7D%0A%0A%0A%3F%3E

发现是url编码，继续解码

";if(!$_GET['id'])

{

header('Location: hello.php?id=1');

exit();

}

$id=$_GET['id'];

$a=$_GET['a'];

$b=$_GET['b'];

if(stripos($a,'.'))

{

echo 'no no no no no no no';

return ;

}

$data = @file_get_contents($a,'r');

if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)

{

$flag = "flag{***********}"

}

else

{

print "never never never give up !!!";

}

?>

仔细看代码

有3个参数a，b，c然后a不能有.id非空，b要满足’111’接上b的首个字符是’1114’的通配，并且首个字符不为’4’，并且长度大于5（正则表达式）

那么让data是’bugku is a nice plateform!'来获取flag

最后利用00截断绕过 eregi

eregi("111".substr($b,0,1),"1114")

b传入 %0012345 , 经过substr截取 空格 ，再与111拼接。  函数在 处理 111 时，遇见空格，会丢弃空格及后面的数据，即 111 变成111，此时 111在1114里面了。

所以最终的payload就是

0xg&a=php://input&b=%0012345

然后发送

得到flag